June 01, 2018 Feature

Autonomous Vehicles: 3 International Regulatory Discussions to Be Aware Of

By Aida Joaquin Acosta

For the lawyer who practices across international borders, autonomous vehicles (AVs) may become an important practice area in the coming years. But these jet-setters should be aware of the three “mega-trends” that are occurring across the globe and that may have an impact on their clients: changes in national laws, the effect of international treaties, and international regulations on cybersecurity and data protection.

National Laws

Countries are developing new regulations and adapting their national laws to AVs, but many of these countries will also need to adapt certain international regulations if fully automated vehicles are going to become legal. Many countries are working on their national regulations to adapt them to AV. For instance, in the United States, both the U.S. House of Representatives and the Senate’s Commerce, Science, and Transportation Committee have introduced two self-driving car bills—the House’s SELF DRIVE Act1 and the Senate Committee’s AV START Act—2 aiming to avoid state patchwork legislation.

Governments of the European Union (EU) signed the Declaration of Amsterdam to work for a coherent AV regulatory framework by 2019, if possible.3 The European Parliament (EP) also asked to prioritize AV regulation, at the European and global levels, to avoid fragmented regulatory approaches.4 Some EU member states, such as France, Germany, Spain, and the United Kingdom, already adapted their national regulations to allow AV testing on public roads.

Singapore amended its Road Traffic Act in 2017 to allow AV testing on public roads too; and Japan is also working to have legislation ready by 2019, before the 2020 Olympics. Also, Brazil, China, and Russia are starting to think of adapting regulation for AV.5

But many of these countries also will need to adapt international standards or treaties they are part of to make these vehicles legal, and lawyers need to be aware of these discussions to understand the AV regulatory maze.

International Treaties on Road Safety

The 1949 United Nations (UN) Geneva Convention on Road Traffic6 and the 1968 UN Vienna Convention on Road Traffic7 are remarkable examples because of their impact in national laws and the number of countries they involve. The Vienna Convention (73 contracting parties) replaces the Geneva Convention (96 contracting parties); however, those countries who signed Geneva but did not ratify Vienna are still bound by the former. These Conventions establish uniform traffic rules and were created to facilitate international road traffic and safety.

However, if these Conventions are not updated to reflect current technology, they may be hampering the deployment of fully automated vehicles, which are expected to drastically reduce accidents due to human errors—the cause 90 percent of road accidents.8

For more than a decade, countries have been working to keep UN conventions and regulations on road traffic updated with technological safety improvements, but fully automated vehicles may require more profound changes in the treaties.

Two United Nations Economic Commission for Europe (UNECE) intergovernmental bodies have been working to adapt the Conventions and related UN technical regulations: the Global Forum for Road Traffic Safety (WP.1) and the World Forum for the Harmonization of Vehicle Regulations (WP.29).9 They have been, for example, generating guidelines for the design of advanced emergency braking systems or lane departure warning systems10 and updating the Conventions consequently.

However, fully automated vehicles may require deeper changes in the treaties to become legal because both Conventions rely on humans to control the vehicle, whereas in fully automated vehicles humans surrender the control to the vehicle itself.11

This shift has profound implications for the Conventions, requiring further clarification on key concepts of the texts, such as the nature and role of the driver and the nature of vehicle control.12 For example, regarding driver requirements, Article 8 of both Conventions specifies that every vehicle shall have a driver, who should be able to control the vehicle at all times. Article 8 of the Vienna Convention adds additional requirements for the driver, such as possessing the necessary physical and mental abilities and conditions to drive and minimizing secondary activities, such as hand-held phones in vehicles (paragraph added in 2006).

The fact that the Vienna Convention is, in some terms, more restrictive than the Geneva Convention could generate differences on the interpretation of the treaties and affect how fast countries adopt regulations. For example, it could happen that countries part of the Vienna Convention could find it more difficult to issue fully automated vehicle regulations than those that are only parties of Geneva (the United States, Japan, or Spain and the United Kingdom, for example) or those that are not parties of either Convention, like China.

In 2016, WP.1 amended13 the Vienna Convention, allowing the use of certain automated functions in vehicles, but still it is not enough for fully automated vehicles. This amendment still requires that every vehicle have a driver who may take hands off the wheel but who must be ready at all times to take back the control of the vehicle, override the system, and switch it on and off, a requirement mostly incompatible with high or full automation.14

UNECE is now working on aligning these Conventions and related UN regulations to fully automated vehicles. The ongoing discussions mainly consider three possibilities: developing guidance on interpreting problematic terms, such as the role and nature of the driver and nature of control; amending the Conventions; or creating a new convention for AV. Some countries are advocating for a mixed approach: to release guidelines for interpretation in the short term and to work on an amendment for fully automated vehicles for the long term, as protocols or amendments are very time-consuming processes.15

Regulations on Cybersecurity and Data Protection

The international regulatory agenda is starting to include new aspects of road safety related to AV: cybersecurity and data protection. For example, the Ministers of Transport of the G7 are shifting their attention to these issues. In their Declaration on Automated and Connected Driving16 in 2015, Ministers called for cooperation on ensuring data protection and cybersecurity, in addition to the coordination and adaptation of the regulatory framework and technical regulations that UNECE already is undertaking. This vision was reinforced in their meeting in Japan, in 2016,17 and again at Toronto, in 2017. 18

UNECE also realized that digitalization of transport is demanding new safety requirements for vehicles and infrastructure and for the protection of rights and liberties.19 In November 2017, UNECE identified 86 threats to security, and it is now discussing how to prevent or mitigate them.20 In December 2017, it created the Task Force for Cyber Security and Over-the-Air issues (TF-CS/OTA),21 which is working on two recommendations (cybersecurity and data protection, and software updates) that are expected by March 2018.22

In March 2017, UNECE already released guidelines on cybersecurity and data protection for the construction of AVs23 to help in the interim until more research is in place (art. 1.5 of the guidelines). These guidelines define the three elements of cybersecurity as confidentiality, integrity, and authenticity of the information and establishes the principles of data protection by default and data protection by design. Future UN regulations will have to follow these guidelines.

EU efforts also resonate with UNECE’s reinforcing the cybersecurity and privacy regulatory frameworks. In cybersecurity, the EU is working on the so-called “Cybersecurity Package”24 to complement the Directive on Security of Network and Information Systems (NIS) of 2016. In the Cybersecurity Package, the EU will establish a European certification framework for ICT security products, as a one-stop shop for cybersecurity certification, which will rely mostly on international standards, such as the UNECE guidelines on cybersecurity.

With regards to privacy, the EU is working on the new ePrivacy Regulation25 that will complement the General Data Protection Regulation (GDPR). The ePrivacy Regulation will replace the ePrivacy Directive and will add stronger protection to content and metadata of communications, which can occur among automated vehicles or vehicles and infrastructure.


Changes in national laws and changes in international treaties relating to road safety, cybersecurity, and data protection are currently at the top of the international regulatory agendas. These discussions are key for lawyers to make sense of the whole AV regulatory picture, as they may affect AV national regulations and their international commerce. In their regulatory efforts, governments are trying to find the right balance between acting faster at the national level and acting harmonically at the international level, so that they can bring AV benefits earlier to society. 


1. SELF DRIVE Act, H.R. 3388, 115th Cong. (2017), https://www.congress.gov/bill/115th-congress/house-bill/3388/text.

2. AV START Act , S. 1885, 115th Cong. (2017), https://www.congress.gov/bill/115th-congress/senate-bill/1885.

3. Declaration of Amsterdam (2016), https://www.regjeringen.no/contentassets/ba7ab6e2a0e14e39baa77f5b76f59d14/2016-04-08-declaration-of-amsterdam—-final1400661.pdf.

4. European Parliament Civil Law Rules on Robotics (2016), http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML%2BCOMPARL%2BPE-582.443%2B01%2BDOC%2BPDF%2BV0//EN.

5. AV Readiness Index, KPMG (2018), https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2018/01/avri.pdf.

6. Geneva Convention on Road Traffic, at 22-101 (1949), https://treaties.un.org/doc/Publication/UNTS/Volume%20125/v125.pdf.

7. Vienna Convention on Road Traffic (1968), https://www.unece.org/fileadmin/DAM/trans/conventn/crt1968e.pdf.

8. European Parliament Briefing in AV 87 (2016), http://www.europarl.europa.eu/RegData/etudes/STUD/2016/573434/IPOL_STU(2016)573434_EN.pdf.

9. WP.1 was established in 1988 as “Working Party on Road Safety,” continuing the work of the Ad Hoc Working Group on the prevention of road accidents created in 1950. In 2017, the WP.1 changed its name to “Global Forum for Traffic Safety.” WP.29 was established in 1952 as “Working Party on the Construction of Vehicles” and in 2000 it became the “World Forum for Harmonization of Vehicle Regulations.”

10. UNECE Design Principles for Control Systems (2012), https://www.unece.org/fileadmin/DAM/trans/doc/2010/wp29/WP29-157-06e.pdf.

11. BRIEFING IN AV, supra note 8, at 55.

12. WP.1, Draft of Common Understanding on the Use of Automated Driving Functions (2017), https://www.unece.org/fileadmin/DAM/trans/doc/2017/wp1/ECE-TRANS-WP1-2017-Informal-2e.pdf

13. The amendment entered into force in March 2016, allowing automated functions to assist drivers if these functions followed international technical agreements or they could “be overridden or switched off by the driver.” (See Vienna Convention art. 8.5bis, https://www.unece.org/fileadmin/DAM/trans/conventn/Conv_road_traffic_EN.pdf.)

14. The amendment may allow automated systems in levels 3 and even 4 of automation, but not in level 5 (terminology of the Society of Automotive Engineers’ International Standard J3016-2014). See http://www.europarl.europa.eu/RegData/etudes/STUD/2016/573434/IPOL_STU(2016)573434_EN.pdf (55).

15. WP.1 Draft, supra note 12.

16. G7 Declaration on Automated and Connected Driving (2015), https://ec.europa.eu/commission/commissioners/2014-2019/bulc/announcements/g7-declaration-automated-and-connected-driving_en.

17. G7 Declaration (2016), http://www.mlit.go.jp/common/001146631.pdf.

18. G7 Declaration (2017), http://www.g8.utoronto.ca/transport/170623-G7-Transport-Declaration.html.

19. UNECE, Guidelines on Cybersecurity, https://www.unece.org/fileadmin/DAM/trans/doc/2017/wp29/ECE-TRANS-WP29-2017-046e.pdf.

20. UNECE’s 12th AV Informal Group Meeting (2017), https://wiki.unece.org/pages/viewpage.action?pageId=54427891&preview=/54427891/54428639/(ITS_AD-13-02)%20Major%20results%20and%20action%20items%20of%20the%2012th%20meeting%20of%20Informal%20Group.pdf.

21. UNECE’s WP.29 Informal Working Group on Automated Driving (IWG ITS/AD) created the Task Force for Cyber Security and Over-the-Air (TF-CS/OTA) on December 2017.

22. TF-CS-OTA status report (2017), https://wiki.unece.org/pages/worddav/preview.action?fileName=%28ITS_AD-13-04%29++%28Sec+TF-CS_OTA%29+Status+report++TF-CS_OTA.pdf&pageId=54427891.

23. UNECE Guidelines on Cybersecurity, supra note 19.

24. European Union, Cybersecurity Package, https://ec.europa.eu/digital-single-market/en/eu-cybersecurity-certification-framework.

25. European Union, ePrivacy Regulation Proposal, https://ec.europa.eu/digital-single-market/en/proposal-eprivacy-regulation.


Aida Joaquin Acosta

Fellow at Harvard University’s Berkman Klein Center

Aida Joaquin Acosta is a Fellow at Harvard University’s Berkman Klein Center working on A.I. and autonomous vehicles. She is also a Senior Public Official of the Spanish Government and, for the last ten years, she has been advising on the intersection of European regulatory, technology, and policy issues.